Maybe you’ve got your Data Security Posture Management (DSPM) strategy up and running, or you’re in the throes of improving your Data Access Security within Microsoft 365.
Microsoft Copilot is, of course, in its infancy, and whilst its development and adoption are evolving at great speed, there are some clear early signs of the effect Copilot could have on your data access governance within Microsoft 365.
Here, Torsion takes an initial look at the Microsoft 365 data governance risks Copilot could expose and how to incorporate Copilot into your DSPM strategy.
Background to Microsoft Copilot
Copilot appears in Microsoft 365 apps as a useful AI chatbot on the sidebar. It’s a tool to help create documents, assist in meetings, design presentations and much more. It can be used throughout Microsoft’s full Office suite, e.g. Microsoft Teams, Outlook, PowerPoint and Word. It pulls data from various sources – the data within an organisation’s internal Microsoft 365 estate being the primary source.
Up until last week (January 2024) Copilot had an eye-watering price tag and a minimum of 300 users. That’s all changed now with the launch of 2 new options: Copilot Pro for individuals ($20 per month/per user) and the expansion of Copilot for Microsoft 365 to businesses of all sizes (Microsoft 365 Business Premium and Business Standard customers can purchase between one and 299 seats for $30 per person per month).
This means that thousands more businesses are now using the AI, creating millions of new documents within Microsoft 365 and then sharing them with colleagues, partners and customers.
The impact of Copilot on Data Access Security
There are multiple considerations for your organisation’s data access governance when introducing Copilot:
1. Copilot will expose risks that you didn’t know you had
Without automation, it’s practically impossible to know of every single piece of information, file or folder that exists within your organisation. Plus, within nearly every organisation there are hundreds of hidden files, folders and sites that are in nested folders and pretty much invisible to the human eye. And because they’ve probably been hidden for a while, they’re usually out of date. However, whilst they’re invisible to the organisation, they won’t be invisible to Copilot and so a new layer of security risks will be exposed. Microsoft have issued the following guidance before you deploy Copilot:
Prepare your data and assess all relevant data security, privacy, and compliance controls are in place. Copilot inherits your existing permissions and policies so ensuring that these are in place helps ensure seamless deployment. Conduct access reviews for SharePoint sites, documents and tenant data, employ the use of sensitivity labels to protect important data, and validate policies for data loss prevention, retention, and compliance.
You can access a library of Copilot guidance and information at their document hub https://learn.microsoft.com/en-us/microsoft-365-copilot/.
2. Copilot will gather information from ALL data
It’s one thing finding out you probably have hidden and out of date files, folders and sites you didn’t know existed within Microsoft 365 – it’s another when Copilot starts finding that data and pulling it into lovely new, shiny documents that are likely going to be shared amongst colleagues, partners and customers.
The data could contain out of date information or sensitive data that hasn’t been secured. The security risks all of a sudden increase.
Make sure you have complete visibility of all of your data and check for any out of date access before you give Copilot free rein.
3. Copilot inherits your existing permissions and policies
This is perfectly acceptable and logical but it’s worth reviewing those permissions before deploying Copilot.
Once again, it’s impossible for IT teams to manually check permissions with so much data now in the cloud. Automation is required to identify and control any obsolete or inappropriate permissions. Once these have been reviewed, the security risk of Copilot accessing data that somebody shouldn’t have access to decreases significantly.
4. Different Copilots could mean different data sources
Now there are different options available for Copilot, it’s worth noting that data could be pulled from a wider variety of sources. You may have the bulk of your team using Copilot through your corporate Microsoft 365 licenses but you may also be working with individuals (consultants, associates, partners maybe) that are using the new Copilot Pro version. The pool of data can increase quite rapidly.
It’s worth checking if this could be a security risk for your organisation and if so, incorporate it into your Data Access Governance.
5. Copilot is evolving fast
Copilot is very much in its infancy and it’s evolving fast. It’s vital to stay on top of updates and security advice as deployment grows. There are some really good community hubs for Copilot users, so why not join one and keep learning as the deployment of Copilot grows? We’ll keep you updated on your DSPM and Data Access Security considerations too.
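As an added illustration of the review described in points 1 to 3 (this is not Torsion's or Microsoft's code), the sketch below ranks items in a permissions inventory by how many review concerns they raise: out of date, broadly shared, granted to someone no longer in the directory, or buried in nested folders. The inventory rows, principal names, thresholds and the `review` function are all constructed assumptions.

```python
from datetime import date

# Assumed for illustration: principals treated as tenant-wide grants.
BROAD = {"Everyone", "Everyone except external users"}

# Constructed inventory rows (not real tenant data).
INVENTORY = [
    {"path": "/sites/HR/Archive/2017/Old/Drafts/salaries.xlsx",
     "modified": date(2017, 3, 2),
     "grants": ["Everyone except external users", "hr-team"]},
    {"path": "/sites/Sales/Q4-forecast.pptx",
     "modified": date(2024, 1, 10),
     "grants": ["sales-team"]},
    {"path": "/sites/Projects/Apollo/handover.docx",
     "modified": date(2021, 6, 30),
     "grants": ["j.smith", "projects-team"]},
    {"path": "/sites/Finance/budget-2024.xlsx",
     "modified": date(2024, 1, 15),
     "grants": ["finance-team", "Everyone"]},
]
# Constructed directory snapshot: j.smith has left and is absent.
ACTIVE = {"hr-team", "sales-team", "projects-team", "finance-team"} | BROAD


def review(inventory, active, today, stale_days=730, deep=5):
    """Return (path, reasons) for items needing attention, worst first."""
    findings = []
    for item in inventory:
        reasons = []
        if (today - item["modified"]).days > stale_days:
            reasons.append("stale")
        if BROAD & set(item["grants"]):
            reasons.append("broad-access")
        orphans = sorted(g for g in item["grants"] if g not in active)
        if orphans:
            reasons.append("obsolete-grant:" + ",".join(orphans))
        if item["path"].count("/") > deep:
            reasons.append("deeply-nested")
        if reasons:
            findings.append((item["path"], reasons))
    # Most reasons first; the stable sort keeps inventory order on ties.
    findings.sort(key=lambda f: -len(f[1]))
    return findings


if __name__ == "__main__":
    for path, reasons in review(INVENTORY, ACTIVE, date(2024, 1, 25)):
        print(path, "->", ", ".join(reasons))
```

The item that is stale, broadly shared and deeply nested comes out first: because Copilot inherits existing permissions, that is the content any licensed user could have surfaced into a new document.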
How can Torsion secure the data Copilot has access to?
Torsion will automatically find your hidden and out of date files before Copilot can access them. It gives you complete visibility of every single piece of data you own along with how it’s being used.
Torsion also monitors permissions and keeps them current using Attribute Based Access Control (ABAC), meaning only the people who meet specific criteria, such as location, team or job function, have access. The permissions are automatically updated as people move around, join or leave an organisation.
It’s basically an automated DSPM tool that sits as an extra tab within the Microsoft 365 interface labelled ‘Sharing & security’ (we’re a Microsoft partner) but then it runs autonomously – monitoring files, finding hidden data, revoking out of date access, sending quick alerts to business users if something doesn’t look right and providing a complete 360 overview of ‘who has access to what, and why’.
As soon as Torsion is plugged into your Microsoft 365 system, it flags all out of date files, folders and sites, including those hidden in nested folders that you didn’t even know existed. These contain the data that you DON’T want Copilot pulling information from and so by having visibility of them, you can easily clean them up and be safe in the knowledge that Copilot is only accessing relevant and current data.
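To make the ABAC idea above concrete, here is an added, generic sketch of attribute-based reconciliation. It is not Torsion's implementation; the policies, directory entries, grants and function names are constructed for illustration. Access is derived from user attributes, so a team move or a departure shows up as a grant to revoke.

```python
# Constructed policies: attributes a user must hold to access each resource.
POLICIES = {
    "/sites/Finance/Payroll": {"team": "finance", "location": "UK"},
    "/sites/Sales/Pipeline": {"team": "sales"},
}

# Constructed directory snapshot. bob has moved from finance to sales,
# carol has left (no entry), dave is in finance but outside the UK.
DIRECTORY = {
    "alice": {"team": "finance", "location": "UK"},
    "bob": {"team": "sales", "location": "UK"},
    "dave": {"team": "finance", "location": "US"},
}

# Constructed current grants, as left behind by earlier manual sharing.
GRANTS = {
    "/sites/Finance/Payroll": ["alice", "bob", "carol"],
    "/sites/Sales/Pipeline": [],
}


def entitled(user_attrs, policy):
    """A user qualifies only if every attribute in the policy matches."""
    return all(user_attrs.get(key) == value for key, value in policy.items())


def reconcile(policies, directory, grants):
    """Compare current grants with what the attribute rules allow.

    Returns (to_revoke, to_grant) as sorted lists of (resource, user).
    Users missing from the directory are never entitled.
    """
    wanted = {
        (resource, user)
        for resource, policy in policies.items()
        for user, attrs in directory.items()
        if entitled(attrs, policy)
    }
    current = {
        (resource, user)
        for resource, users in grants.items()
        for user in users
    }
    return sorted(current - wanted), sorted(wanted - current)


if __name__ == "__main__":
    to_revoke, to_grant = reconcile(POLICIES, DIRECTORY, GRANTS)
    print("revoke:", to_revoke)
    print("grant:", to_grant)
```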
How to stay in control of Microsoft 365 data access governance with Copilot
If you’re going to be adopting Copilot in your organisation, talk to Torsion simultaneously. Torsion can be up and running within hours, highlighting those hidden and out of date files – leaving you to max out on the features and benefits of Copilot with complete confidence.